CVE-2023-46497: 
JavaScript vulnerability analysis and mitigation

Directory Traversal vulnerability was discovered in EverShop NPM versions before v.1.0.0-rc.8, identified as CVE-2023-46497. The vulnerability allows a remote attacker to obtain sensitive information via a crafted request to the mkdirSync function in the folderCreate/createFolder.js endpoint. The vulnerability was published on December 8, 2023, and affects all EverShop NPM versions prior to version 1.0.0-rc.8 (NVD).

The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) with a CVSS v3.1 base score of 5.4 (MEDIUM). The vulnerability stems from missing input validation in the 'mkdirSync' function in 'createFolder.js'. From the feature for adding an image to a Product's 'Description' field, attackers can create new folders in unintended locations by navigating backward with '../'. The attack complexity is LOW, requires network access, and HIGH privileges, with LOW integrity impact and CHANGED scope (Checkmarx).

The vulnerability allows attackers to traverse the server's root directory, potentially gaining access to arbitrary files and folders such as application code & data, back-end credentials, and sensitive operating system files. In severe cases, this could affect system processes and impact the integrity, confidentiality, and availability of the application (Checkmarx).

Users should upgrade to EverShop NPM version 1.0.0-rc.8 or later to address this vulnerability (NVD).